Re: ipnat+ipfw + 3 gateways

2003-12-15 Thread Tillman Hodgson
On Mon, Dec 15, 2003 at 07:25:21AM -0800, hugle wrote:
> now about this script.

Let's reduce this to pseudo code to simplify the discussion:

map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 (some ports) -> (gw2)

map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 (other ports) -> (gw1)

map rl1 from 192.168.0.0/16 ! to 192.168.0.0/16 -> (gw3)

> in MY opinion these rules should WORK. but as it seems, they don't

I assume that vlan0, fxp0 and rl1 are your *external* NICs?

I'll show what I have set up for comparison. I have two Internet
gateways and I do some source-routing by destination (not by port, as
you are trying to do). I'll leave out the IPFW traffic shaping for
simplicity. My ruleset is getting fairly complex these days ;-)

A bit of background: I bring in a /25 subnet across an OpenVPN tunnel
(where I run zebra/quagga OSPF routing ... some details at
http://www.rospa.ca/projects/). In order for me to use these additional
IPs on my internal network, I need to ensure that my gateway
source-routes them ('fwd' in IPFW parlance) to my tunnel-peer as my
regular default gateway would packet filter them out (a surprisingly
sane policy for an ISP *grin*).

Key for the lines that follow:
* rl1 is my external NIC for the primary Internet gateway
* rl2 is my external NIC for the secondary Internet gateway
* tun6 is the tunnel that I bring a source-routed /25 in on

Here's the relevant part of my /etc/ipnat.rules. Note that I've obscured
external IPs by replacing them with a descriptive tag in ()'s:

 ### TCP/UDP
 # Note that maps to rl2 only work because I have static routes that
 # would route traffic for those particular destinations to the
 # secondary gateway in any case ... the mapping just forces the correct
 # source IP address to be used.
 #   ... specific destination #1
 map rl2 from 192.168.23.0/24 to (net destination #1)/24 -> rl2/32
 #   ... specific destination #2
 map rl2 from 192.168.23.0/24 to (net destination #2)/24 -> rl2/32
 #   ... specific destination #3
 map rl2 from 192.168.23.0/24 to (host destination #3)/32 -> rl2/32
 # Map all regular traffic out the primary Internet connection
 map rl1 192.168.23.0/24 -> rl1/32 portmap tcp/udp 48000:5
 ### ICMP and other (on the primary internet connection)
 map rl1 192.168.23.0/24 -> rl1/32

I set the static routes via rc.conf, a simplified version of which is:

 ### Routes
 defaultrouter="(primary gateway)"
 static_routes="destination1 destination2 destination3"
 route_destination1="(net destination #1)/24 (secondary gateway)"
 route_destination2="(net destination #2)/24 (secondary gateway)"
 route_destination3="(host destination #3)/32 (secondary gateway)"

And here's the relevant part of my /etc/ipf.rules:

 # Respond to traffic sent to the /25 via tun6
 # Note that the "on 'interface'" has to be the one with my default route
 # Note that I use a !/16 instead of a /24 as I have more than one
 # internal class C (the meta-network)
 pass out quick on rl1 to tun6 from (obscured)/25 to !192.168.0.0/16
 # Respond to traffic sent to my secondary connection via the same IP
 pass out quick on rl1 to rl2 from (obscured)/32 to any

-T


-- 
To imagine a human world without ethics, but in which life goes well, it
is necessary to suppose a golden age: a world without competition, or
causes of strife, or clashing desires, or envy or malice.
- Simon Blackburn (Ruling Passions)
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
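The point Tillman makes above is that an ipnat `map` rule only fires on packets that the routing table has already decided to send out that interface; the mapping fixes the source address but never chooses the gateway. As an added illustration (not code from the thread or from either poster), the small model below applies exactly that order, route lookup first and then the `map` rules for the chosen NIC, to hugle's posted topology. The ipfw `fwd` rules are deliberately not modelled, and the destination network 203.0.113.0/24 is a constructed documentation address, not anything from the thread.

```python
# Added illustration (not code from the thread): a small model of the order
# in which a FreeBSD gateway picks an egress interface and then applies
# ipnat "map" rules. Interfaces, gateways and public addresses are the ones
# hugle posted; the destination network below is constructed (RFC 5737).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    iface: str


@dataclass
class MapRule:
    iface: str                       # "map <iface> ..." only fires on packets leaving this NIC
    src: ipaddress.IPv4Network       # "from <net>"
    not_dst: ipaddress.IPv4Network   # "! to <net>"
    to_ip: str                       # "-> <addr>/32"
    port: Optional[int] = None       # "port = N"; None matches any port


def route_lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match, as the kernel routing table does (no 'fwd' here)."""
    dst_a = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst_a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best


def apply_nat(rules: List[MapRule], iface: str, src: str, dst: str, dport: int) -> str:
    """Return the source address after the first matching map rule on 'iface'."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != iface or src_a not in r.src or dst_a in r.not_dst:
            continue
        if r.port is not None and r.port != dport:
            continue
        return r.to_ip
    return src  # no rule on this interface: the packet leaves untranslated


def egress(routes: List[Route], rules: List[MapRule], src: str, dst: str, dport: int) -> dict:
    """Route first, then NAT on the chosen interface; report what leaves the box."""
    r = route_lookup(routes, dst)
    new_src = apply_nat(rules, r.iface, src, dst, dport)
    return {"iface": r.iface, "gateway": r.gateway, "src": new_src,
            # a private source on an external NIC is what the upstream ISP drops
            "leaks_private": ipaddress.ip_address(new_src).is_private}


LAN = ipaddress.ip_network("192.168.0.0/16")


def hugle_rules() -> List[MapRule]:
    """The posted ipnat.rules, condensed: per-port maps on vlan0/fxp0, catch-all on rl1."""
    rules = [MapRule("vlan0", LAN, LAN, "213.252.192.142", p) for p in (53, 6112, 27015)]
    rules += [MapRule("fxp0", LAN, LAN, "213.252.192.162", p) for p in (22, 25, 443)]
    rules.append(MapRule("rl1", LAN, LAN, "212.59.9.59"))
    return rules


def hugle_routes() -> List[Route]:
    """One default route via fxp0; nothing ever sends traffic out vlan0 or rl1."""
    return [Route(ipaddress.ip_network("0.0.0.0/0"), "213.252.192.161", "fxp0")]


def routes_with_static(dest_net: str) -> List[Route]:
    """Tillman's approach: a static route by destination selects the secondary NIC."""
    return hugle_routes() + [Route(ipaddress.ip_network(dest_net), "213.252.192.141", "vlan0")]


if __name__ == "__main__":
    for dport in (53, 22):
        print(dport, egress(hugle_routes(), hugle_rules(), "192.168.1.10", "203.0.113.5", dport))
    print("static", egress(routes_with_static("203.0.113.0/24"), hugle_rules(),
                           "192.168.1.10", "203.0.113.5", 53))
```

With only the default route, a LAN packet to port 53 is routed out fxp0, where no `map` rule matches port 53, so it leaves with its private 192.168.x.x source and is dropped upstream; the vlan0 rule written for it never sees the packet. Port 22 works because its rule happens to sit on the interface the default route picks. Adding a static route for the destination (the rc.conf `static_routes` lines in Tillman's post) makes the kernel choose vlan0, and only then does the vlan0 `map` rule rewrite the source to 213.252.192.142.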


Re: ipnat+ipfw + 3 gateways

2003-12-15 Thread Josh Paetzel
On Mon, Dec 15, 2003 at 08:15:33AM -0800, hugle wrote:
> btw, why should i use forward?
> cause system has ONE default route, so if i nat via other interface,
> the packets don't know to which GW they have to go.
> 
> So maybe i need to add default gateways to other interfaces ?
> 
> so i have:
> default gw is 213.252.192.161
> and default gw for 213.252.192.142 is 213.252.192.141
> and default gw for 212.59.9.59 is 212.59.9.1
> 

You can't have more than one default gateway on a FreeBSD box, but you
can add your own static routes.  That looks to me to be the direction 
to go. :)

Josh Paetzel



Re: ipnat+ipfw + 3 gateways

2003-12-14 Thread Tillman Hodgson
On Sun, Dec 14, 2003 at 07:23:26PM -0500, fbsd_user wrote:
> What do you think IPF is? That's the utility name used to load
> filter rules into IPFILTER.
> So you are doing just what I said. The original poster said
> nothing about doing traffic shaping.
> IPNAT will not function without IPFILTER rules. At least `pass in
> all` on all interfaces. He listed none in his post.

Unlike IPFW, IPF defaults to "open" (thus the reason for the
IPFILTER_DEFAULT_BLOCK kernel option). Thus IPF won't be blocking any of
the packets that IPNAT is NATing. For example, when I issue a `ipf -F
a`, my IPNAT rules continue to function normally.

-T


-- 
The person who takes the banal and ordinary and illuminates it in a new way can 
terrify.  We do not want our ideas changed.  We feel threatened by such 
demands.  "I already know the important things!" we say.  Then Changer comes 
and throws our old ideas away.
- The Zensufi Master


RE: ipnat+ipfw + 3 gateways

2003-12-14 Thread fbsd_user
What do you think IPF is? That's the utility name used to load
filter rules into IPFILTER.
So you are doing just what I said. The original poster said
nothing about doing traffic shaping.
IPNAT will not function without IPFILTER rules. At least `pass in
all` on all interfaces. He listed none in his post.



Re: ipnat+ipfw + 3 gateways

2003-12-14 Thread Tillman Hodgson
On Sun, Dec 14, 2003 at 06:01:08PM -0500, fbsd_user wrote:
> I think you are confused. IPNAT is part of the ipfilter firewall and
> IPFW is a different firewall that has its own NATD function. You can
> not use one part from one and the other part from the other one.
> They work as a set, IPNAT/IPFILTER or IPFW/NATD. Your best bet is
> to use IPNAT and its firewall IPFILTER.

Not necessarily true. I'm using IPF for packet filtering, IPNAT for NAT,
and IPFW for traffic shaping on the same firewall.

The order that a packet is mangled becomes important, but that's solved
simply by being careful when designing the firewall.

-T


-- 
Draw bamboos for ten years, become a bamboo, then forget all about bamboos
when you are drawing.
Georges Duthuit


RE: ipnat+ipfw + 3 gateways

2003-12-14 Thread fbsd_user
I think you are confused. IPNAT is part of the ipfilter firewall and
IPFW is a different firewall that has its own NATD function. You can
not use one part from one and the other part from the other one.
They work as a set, IPNAT/IPFILTER or IPFW/NATD. Your best bet is
to use IPNAT and its firewall IPFILTER.

http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of hugle
Sent: Monday, December 15, 2003 3:42 AM
To: [EMAIL PROTECTED]
Subject: ipnat+ipfw + 3 gateways

hello all.
I'm trying to do something like load balancing between 3 interfaces using
ipnat and ipfw

my gw's are:
213.252.192.161 on fxp0 with 213.252.192.162
213.252.192.141 on vlan0 with 213.252.192.142
212.59.9.1  on rl1 with 212.59.9.59


the ruleset i have is:
in ipfw:
ipfw add 1001 fwd 213.252.192.141 ip from 213.252.192.142 to any
ipfw add 1002 fwd 213.252.192.161 ip from 213.252.192.162 to any
ipfw add 1003 fwd 212.59.9.1 ip from 212.59.9.59 to any

and ipnat.rules
#games gw
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 53 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6111 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6112 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6113 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6114 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6115 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6116 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6117 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6118 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6119 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 4000 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port =  -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 7787 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 7877 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 7887 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 27005 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 27015 -> 213.252.192.142/32
map vlan0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 27960 -> 213.252.192.142/32

#mail/web/irc/icq
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 22 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 25 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 79 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 81 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 110 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 443 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 2082 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 5050 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 5190 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 1863 -> 213.252.192.162/32
map fxp0 from 192.168.0.0/16 ! to 192.168.0.0/16 port = 6667 -> 213.252.192.162/32

#all other traffic go via gw3
map rl1 from 192.168.0.0/16 ! to 192.168.0.0/16 -> 212.59.9.59/32
--
I think there is something wrong with my IPNAT rules.
i'm probably doing something wrong with those ports...
Could anyone help me ?
Thanks
--
Best regards,Hugle
